feat(syndesis): mDNS discovery, pairing protocol, and renderer registry

Implements task #124: QUIC-ready transport layer, renderer pairing handshake,
session authentication, mDNS advertisement/discovery, and renderer management API.

- syndesis: new crate — TLS cert generation + fingerprinting (rcgen/sha2),
  protocol frames (newline-delimited JSON), argon2id API key hashing,
  pairing handshake (TOFU cert pinning), session init handler with tests
- harmonia-db: renderers table (migration 008) + full CRUD repo
- paroche: mDNS advertisement (mdns-sd 0.18 DaemonEvent::Announce),
  renderer management routes (GET/DELETE/PATCH) behind RequireAdmin
- harmonia-host: renderer-side mDNS discovery with preferred-fingerprint
  sorting, TOML credential storage, `harmonia render` CLI subcommand

Gate-Passed: kanon 0.1.0

Author: Cody Kickertz

Cargo.lock

@@ -14,13 +14,13 @@ members = [
     "crates/zetesis",
     "crates/ergasia",
     "crates/syndesmos",
+    "crates/syndesis",
     "crates/aitesis",
     "crates/syntaxis",
     "crates/harmonia-host",
     "crates/prostheke",
     "crates/theatron/core",
     "crates/akouo-core",
-    "crates/syndesis",
 ]
 exclude = [
     "akouo/shared/akouo-core",
@@ -46,12 +46,12 @@ komide          = { path = "crates/komide" }
 zetesis         = { path = "crates/zetesis" }
 ergasia         = { path = "crates/ergasia" }
 syndesmos       = { path = "crates/syndesmos" }
+syndesis        = { path = "crates/syndesis" }
 aitesis         = { path = "crates/aitesis" }
 syntaxis        = { path = "crates/syntaxis" }
 prostheke       = { path = "crates/prostheke" }
 theatron-core   = { path = "crates/theatron/core" }
 akouo-core      = { path = "crates/akouo-core" }
-syndesis        = { path = "crates/syndesis" }
 
 # ── Async runtime ──────────────────────────────────────────────────────────────
 tokio           = { version = "1", features = ["full"] }
@@ -117,11 +117,19 @@ fast_image_resize   = "6.0"
 # ── QUIC transport ─────────────────────────────────────────────────────────────
 quinn           = "0.11"
 rustls          = { version = "0.23", default-features = false, features = ["ring", "std"] }
-rcgen           = "0.13"
+rcgen           = { version = "0.13", features = ["pem"] }
 
 # ── mDNS discovery ────────────────────────────────────────────────────────────
 mdns-sd         = "0.18"
 
+# ── Crypto utilities ──────────────────────────────────────────────────────────
+sha2            = "0.10"
+base64          = "0.22"
+rand_core       = { version = "0.6", features = ["getrandom"] }
+
+# ── TOML (credential files) ───────────────────────────────────────────────────
+toml            = "0.8"
+
 # ── Scheduling ────────────────────────────────────────────────────────────────
 tokio-cron-scheduler = "0.15"
 

Cargo.toml

@@ -0,0 +1,12 @@
+-- Renderer registry: tracks paired playback renderers.
+CREATE TABLE renderers (
+    id               TEXT    PRIMARY KEY,
+    name             TEXT    NOT NULL,
+    api_key_hash     TEXT    NOT NULL,
+    cert_fingerprint TEXT    NOT NULL,
+    last_seen        TEXT,
+    paired_at        TEXT    NOT NULL,
+    enabled          INTEGER NOT NULL DEFAULT 1
+);
+
+CREATE INDEX idx_renderers_enabled ON renderers (enabled);

crates/harmonia-db/migrations/008_renderers.sql

@@ -8,6 +8,7 @@ pub mod play_history;
 pub mod podcast;
 pub mod quality;
 pub mod registry;
+pub mod renderer;
 pub mod tv;
 pub mod user;
 pub mod want;

crates/harmonia-db/src/repo/mod.rs

@@ -0,0 +1,191 @@
+// Renderer registry: CRUD for paired playback renderers
+use sqlx::SqlitePool;
+
+use crate::error::{DbError, QuerySnafu};
+use snafu::ResultExt;
+
+#[derive(Debug, Clone, sqlx::FromRow)]
+pub struct Renderer {
+    pub id: String,
+    pub name: String,
+    pub api_key_hash: String,
+    pub cert_fingerprint: String,
+    pub last_seen: Option<String>,
+    pub paired_at: String,
+    pub enabled: i64,
+}
+
+pub async fn create_renderer(
+    pool: &SqlitePool,
+    id: &str,
+    name: &str,
+    api_key_hash: &str,
+    cert_fingerprint: &str,
+) -> Result<Renderer, DbError> {
+    let now = jiff::Zoned::now()
+        .strftime("%Y-%m-%dT%H:%M:%SZ")
+        .to_string();
+    sqlx::query(
+        "INSERT INTO renderers (id, name, api_key_hash, cert_fingerprint, last_seen, paired_at, enabled)
+         VALUES (?, ?, ?, ?, NULL, ?, 1)",
+    )
+    .bind(id)
+    .bind(name)
+    .bind(api_key_hash)
+    .bind(cert_fingerprint)
+    .bind(&now)
+    .execute(pool)
+    .await
+    .context(QuerySnafu { table: "renderers" })?;
+
+    get_renderer(pool, id)
+        .await?
+        .ok_or_else(|| DbError::NotFound {
+            table: "renderers".to_string(),
+            id: id.to_string(),
+            location: snafu::location!(),
+        })
+}
+
+pub async fn get_renderer(pool: &SqlitePool, id: &str) -> Result<Option<Renderer>, DbError> {
+    sqlx::query_as::<_, Renderer>(
+        "SELECT id, name, api_key_hash, cert_fingerprint, last_seen, paired_at, enabled
+         FROM renderers WHERE id = ?",
+    )
+    .bind(id)
+    .fetch_optional(pool)
+    .await
+    .context(QuerySnafu { table: "renderers" })
+}
+
+pub async fn list_renderers(pool: &SqlitePool) -> Result<Vec<Renderer>, DbError> {
+    sqlx::query_as::<_, Renderer>(
+        "SELECT id, name, api_key_hash, cert_fingerprint, last_seen, paired_at, enabled
+         FROM renderers ORDER BY paired_at DESC",
+    )
+    .fetch_all(pool)
+    .await
+    .context(QuerySnafu { table: "renderers" })
+}
+
+pub async fn update_last_seen(pool: &SqlitePool, id: &str) -> Result<(), DbError> {
+    let now = jiff::Zoned::now()
+        .strftime("%Y-%m-%dT%H:%M:%SZ")
+        .to_string();
+    sqlx::query("UPDATE renderers SET last_seen = ? WHERE id = ?")
+        .bind(&now)
+        .bind(id)
+        .execute(pool)
+        .await
+        .context(QuerySnafu { table: "renderers" })?;
+    Ok(())
+}
+
+pub async fn set_enabled(pool: &SqlitePool, id: &str, enabled: bool) -> Result<(), DbError> {
+    sqlx::query("UPDATE renderers SET enabled = ? WHERE id = ?")
+        .bind(if enabled { 1i64 } else { 0i64 })
+        .bind(id)
+        .execute(pool)
+        .await
+        .context(QuerySnafu { table: "renderers" })?;
+    Ok(())
+}
+
+pub async fn rename_renderer(pool: &SqlitePool, id: &str, name: &str) -> Result<(), DbError> {
+    sqlx::query("UPDATE renderers SET name = ? WHERE id = ?")
+        .bind(name)
+        .bind(id)
+        .execute(pool)
+        .await
+        .context(QuerySnafu { table: "renderers" })?;
+    Ok(())
+}
+
+pub async fn delete_renderer(pool: &SqlitePool, id: &str) -> Result<(), DbError> {
+    sqlx::query("DELETE FROM renderers WHERE id = ?")
+        .bind(id)
+        .execute(pool)
+        .await
+        .context(QuerySnafu { table: "renderers" })?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::migrate::MIGRATOR;
+    use sqlx::SqlitePool;
+
+    async fn setup() -> SqlitePool {
+        let pool = SqlitePool::connect("sqlite::memory:").await.unwrap();
+        MIGRATOR.run(&pool).await.unwrap();
+        pool
+    }
+
+    fn renderer_id() -> String {
+        uuid::Uuid::now_v7().to_string()
+    }
+
+    #[tokio::test]
+    async fn renderer_crud() {
+        let pool = setup().await;
+        let id = renderer_id();
+
+        // create
+        let r = create_renderer(&pool, &id, "Living Room", "hash1", "fp1")
+            .await
+            .unwrap();
+        assert_eq!(r.name, "Living Room");
+        assert_eq!(r.enabled, 1);
+        assert!(r.last_seen.is_none());
+
+        // get
+        let fetched = get_renderer(&pool, &id).await.unwrap().unwrap();
+        assert_eq!(fetched.api_key_hash, "hash1");
+        assert_eq!(fetched.cert_fingerprint, "fp1");
+
+        // update_last_seen
+        update_last_seen(&pool, &id).await.unwrap();
+        let updated = get_renderer(&pool, &id).await.unwrap().unwrap();
+        assert!(updated.last_seen.is_some());
+
+        // rename
+        rename_renderer(&pool, &id, "Kitchen").await.unwrap();
+        let renamed = get_renderer(&pool, &id).await.unwrap().unwrap();
+        assert_eq!(renamed.name, "Kitchen");
+
+        // disable
+        set_enabled(&pool, &id, false).await.unwrap();
+        let disabled = get_renderer(&pool, &id).await.unwrap().unwrap();
+        assert_eq!(disabled.enabled, 0);
+
+        // re-enable
+        set_enabled(&pool, &id, true).await.unwrap();
+        let enabled = get_renderer(&pool, &id).await.unwrap().unwrap();
+        assert_eq!(enabled.enabled, 1);
+
+        // delete
+        delete_renderer(&pool, &id).await.unwrap();
+        assert!(get_renderer(&pool, &id).await.unwrap().is_none());
+    }
+
+    #[tokio::test]
+    async fn list_renderers_empty() {
+        let pool = setup().await;
+        let result = list_renderers(&pool).await.unwrap();
+        assert!(result.is_empty());
+    }
+
+    #[tokio::test]
+    async fn list_renderers_multiple() {
+        let pool = setup().await;
+        let id1 = renderer_id();
+        let id2 = renderer_id();
+
+        create_renderer(&pool, &id1, "A", "h1", "f1").await.unwrap();
+        create_renderer(&pool, &id2, "B", "h2", "f2").await.unwrap();
+
+        let list = list_renderers(&pool).await.unwrap();
+        assert_eq!(list.len(), 2);
+    }
+}